Managing AWS multi-factor authentication

Creating a strong password policy in AWS is one step to protect data. If managed properly, multi-factor authentication adds another layer of protection.

Headlines about system breaches and compromised data will leave any systems or application manager questioning security controls, especially authentication methods. Even if you've created strong password policies for AWS users, you should have additional protection -- especially for the root account or for highly privileged users. Amazon's multi-factor authentication protects interactive and programmatic access to data and AWS resources.

Multi-factor authentication (MFA) is the practice of requiring two or more types of authentication factors -- typically, something you know and something you have. Amazon Web Services (AWS) uses MFA based on username-password authentication and one-time passwords. MFA is valuable for providing additional security, but it also requires additional management. There are a few things to keep in mind when managing AWS multi-factor authentication.

Manage multi-factor authentication on a user-by-user basis. Look at each end user's security privileges and use MFA to mitigate security risks if the user account could be used to compromise the integrity of data, leak confidential data to unauthorized users or incur substantial AWS resource usage charges.

Review compliance requirements. Depending on your industry and the type of data end users can access, admins may need to implement MFA to remain in compliance with regulations.

Determine costs associated with securing mobile devices. Administrators can enable MFA for an AWS account as well as for identity and access management (IAM) users. While MFA is suitable for a root account, consider costs before enabling MFA for IAM user accounts. There are costs associated with using hardware MFA devices, ranging from $12.99 to $19.99 per device, depending on the type of device used. Virtual MFA device apps are freely available for Android, iOS, Windows Phones and BlackBerry. Virtual MFA apps allow users to create multiple virtual MFA devices and associate them with different accounts.

If you are the owner of an account and the MFA device associated with it is stolen or malfunctions, you will have to contact AWS support. They will disable MFA so you can log in using only a username and password. If you are the owner of an AWS account and you have associated other IAM users with that account, you can disable MFA for those users using the administration console.

Users who work with multiple accounts require multiple MFA devices. Each MFA device is associated with a single AWS root account or IAM user. If the use of hardware devices is required, users need multiple hardware devices. Virtual MFA devices may be a better option in these cases.

Link MFA with API access to services. You can use AWS multi-factor authentication to add more security control over services and accounts. For example, if you want to limit access to confidential data stored in AWS Simple Storage Service (S3), you could require multi-factor authentication to use the S3 API. It takes two steps to use MFA with API access to services. First, users need an MFA device associated with their user account; second, the system admin needs to create a policy with a condition verifying the end user has authenticated with an MFA device.

After an admin correctly establishes the user account and policy, end users can make calls to the API using the following procedure: The user issues an API call to either AssumeRole or GetSessionToken. As part of the call, the end user includes a device identifier and a one-time password. Each API returns a temporary security credential that is used with subsequent API calls.
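The two steps above, worked through as an added example that is not part of the original article: an IAM policy that allows S3 access only when the request carries a recent MFA context, a small local illustration of how that condition is evaluated, and the GetSessionToken / AssumeRole exchange the end user performs to obtain temporary credentials. The bucket name, MFA device ARN, role ARN and the `FakeSts` client are constructed placeholders; in practice you would pass `boto3.client("sts")` instead of the fake.

```python
"""Added example: MFA-gated S3 access and the STS exchange that satisfies it.

Assumptions (not from the article): BUCKET, the MFA serial and the role ARN
below are placeholders; `sts_client` is any object exposing boto3's
get_session_token / assume_role methods, so a constructed FakeSts is used
to keep the example offline."""
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

BUCKET = "example-confidential-bucket"  # constructed placeholder

# IAM policy: S3 access to the bucket is allowed only when the caller's
# credentials were obtained with MFA within the last hour. The condition keys
# aws:MultiFactorAuthPresent and aws:MultiFactorAuthAge are real IAM keys.
MFA_REQUIRED_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3OnlyWithRecentMFA",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "NumericLessThan": {"aws:MultiFactorAuthAge": "3600"},
            },
        }
    ],
}


def policy_json() -> str:
    """Serialize the policy as it would be attached to the IAM user or group."""
    return json.dumps(MFA_REQUIRED_S3_POLICY, indent=2)


def mfa_condition_allows(mfa_present: bool, mfa_age_seconds: Optional[int]) -> bool:
    """Local illustration of how IAM evaluates the Condition block above.
    Long-term access keys carry no MFA context: the key is absent, the Allow
    does not match, and the request is denied by default."""
    cond = MFA_REQUIRED_S3_POLICY["Statement"][0]["Condition"]
    want_present = cond["Bool"]["aws:MultiFactorAuthPresent"] == "true"
    max_age = int(cond["NumericLessThan"]["aws:MultiFactorAuthAge"])
    if mfa_present != want_present or mfa_age_seconds is None:
        return False
    return mfa_age_seconds < max_age


def temporary_credentials(sts_client, mfa_serial: str, token_code: str,
                          role_arn: Optional[str] = None) -> dict:
    """The end-user step from the article: call GetSessionToken (IAM user in
    the same account) or AssumeRole (role), passing the MFA device identifier
    and one-time code. Returns the temporary credential set for later calls."""
    if role_arn is None:
        resp = sts_client.get_session_token(
            DurationSeconds=3600, SerialNumber=mfa_serial, TokenCode=token_code)
    else:
        resp = sts_client.assume_role(
            RoleArn=role_arn, RoleSessionName="mfa-s3-session",
            DurationSeconds=3600, SerialNumber=mfa_serial, TokenCode=token_code)
    creds = resp["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expires": creds["Expiration"],
    }


class FakeSts:
    """Constructed stand-in for boto3.client('sts') so the example runs offline.
    It records the arguments it received and returns STS's response shape."""

    def __init__(self):
        self.calls = []

    def _creds(self) -> dict:
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret-example",
            "SessionToken": "token-example",
            "Expiration": datetime.now(timezone.utc) + timedelta(hours=1)}}

    def get_session_token(self, **kw) -> dict:
        self.calls.append(("GetSessionToken", kw))
        return self._creds()

    def assume_role(self, **kw) -> dict:
        self.calls.append(("AssumeRole", kw))
        return self._creds()


if __name__ == "__main__":
    print(policy_json())
    fake = FakeSts()
    creds = temporary_credentials(fake, "arn:aws:iam::123456789012:mfa/alice", "123456")
    print(fake.calls[0][0], "->", creds["aws_access_key_id"])
    # With real AWS: temporary_credentials(boto3.client("sts"), serial, code)
```

The temporary credentials returned by STS, not the user's long-term access key, are what the subsequent S3 calls must be signed with; a call made with the long-term key has no MFA context and `mfa_condition_allows(False, None)` shows why the policy then grants nothing.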

About the author: Dan Sullivan holds a master of science degree and is an author, systems architect and consultant with more than 20 years of IT experience. He has had engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence. He has worked in a broad range of industries, including financial services, manufacturing, pharmaceuticals, software development, government, retail and education. Dan has written extensively about topics that range from data warehousing, cloud computing and advanced analytics to security management, collaboration and text mining.

1 comment


The two-factor authentication, though not a silver bullet, could be reliable when it comes with a reliable password. 2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password. Using a strong password does help a lot even against the attack of cracking the stolen hashed passwords back to the original passwords. The problem is that few of us can firmly remember many such strong passwords. We cannot run as fast and far as horses however strongly urged we may be. We are not built like horses. At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.